Description of problem:
Nightly version of the oc client errors out when trying to log in to a cluster using the `--insecure-skip-tls-verify` option.

Version-Release number of selected component (if applicable):
$ oc version
Client Version: 4.8.0-0.nightly-2021-03-04-014703

How reproducible:
```
$ oc version --client
Client Version: 4.8.0-0.nightly-2021-03-04-014703

$ oc login --insecure-skip-tls-verify -u kubeadmin -p xKoZo-BLF3h-eCdfE-EhQ8q https://api.crc.testing:6443
error: specifying a root certificates file with the insecure flag is not allowed

$ /usr/local/bin/oc version --client
Client Version: 4.6.17

$ /usr/local/bin/oc login --insecure-skip-tls-verify -u kubeadmin -p xKoZo-BLF3h-eCdfE-EhQ8q https://api.crc.testing:6443
Login successful.
```

Actual results:
error: specifying a root certificates file with the insecure flag is not allowed

Expected results:
Login should be successful.

Additional info:
Mike, I wonder if that's related to your recent changes to how we treat --insecure-skip-tls-verify.
Yeah, that does look suspiciously like a regression.

The error comes from k8s.io/client-go/transport/transport.go:
https://github.com/openshift/oc/blob/f7835631278b03e4388f65145b56e1fd93bf4e37/vendor/k8s.io/client-go/transport/transport.go#L64-L66

That Insecure field is copied from the rest.Config object:
https://github.com/openshift/oc/blob/f7835631278b03e4388f65145b56e1fd93bf4e37/vendor/k8s.io/client-go/rest/transport.go#L70

I think this is the field we tied the --insecure-skip-tls-verify flag to in https://github.com/openshift/oc/pull/746:
https://github.com/damemi/oc/blob/2e4a10d26057354829acd2c47a848a39f188b198/pkg/cli/login/loginoptions.go#L137

So, it seems the fix we went with is not the right way to fix this, or it needs to be addressed upstream. This level of client/auth knowledge is a bit beyond my scope so I don't know the best way to address this. Though, I think we should revert the PR for now.
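The conflict described in the comment above, as an added example that is not part of the original thread and is not client-go or oc code. `tlsSettings`, `validate` and `applyInsecureFlag` are hypothetical stand-ins; only the error string is taken from the report, and clearing the CA fields is an assumed way to reconcile the two settings, not the fix that was shipped.

```go
package main

import (
	"errors"
	"fmt"
)

// tlsSettings is a hypothetical stand-in for the TLS part of a client
// configuration; it is not the client-go type.
type tlsSettings struct {
	Insecure bool   // set by --insecure-skip-tls-verify
	CAFile   string // path to a root certificate bundle
	CAData   []byte // inline root certificates
}

var errInsecureWithCA = errors.New(
	"specifying a root certificates file with the insecure flag is not allowed")

// validate models the transport-layer check: trusting a CA and skipping
// verification at the same time is contradictory, so it is refused.
func validate(c tlsSettings) error {
	if c.Insecure && (c.CAFile != "" || len(c.CAData) > 0) {
		return errInsecureWithCA
	}
	return nil
}

// applyInsecureFlag is one assumed way for a login command to honour the flag:
// when the user asks to skip verification, drop any CA inherited from an
// existing kubeconfig so the two settings never reach the transport together.
func applyInsecureFlag(c tlsSettings, insecure bool) tlsSettings {
	if insecure {
		c.Insecure = true
		c.CAFile = ""
		c.CAData = nil
	}
	return c
}

func main() {
	// Constructed sample: a saved config that already carries a CA bundle.
	saved := tlsSettings{CAFile: "/path/to/ca.crt"}

	naive := saved
	naive.Insecure = true // flag copied straight onto the config
	fmt.Println("naive:     ", validate(naive))
	fmt.Println("reconciled:", validate(applyInsecureFlag(saved, true)))
}
```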
Can't reproduce now:

```
[root@localhost ~]# oc login --insecure-skip-tls-verify -u kubeadmin -p ieLYM-fKSif-aui2z-B4vx7 https://api.yinzhou8aws.qe.devcluster.openshift.com:6443
Login successful.

You have access to 62 projects, the list has been suppressed. You can list all projects with 'oc projects'

Using project "default".
[root@localhost ~]# oc version
Client Version: 4.8.0-202103080232.p0-f749845
Server Version: 4.8.0-0.nightly-2021-03-06-055252
Kubernetes Version: v1.20.0+aa519d9
```
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438